Abstract — Copyright protection is a major issue in distributing 
digital content. On the other hand, improvements to usability 
are sought by content users. In this paper, we propose a secure 
traitor tracing scheme against key exposure (TTaKE) which contains 
the properties of both a traitor tracing scheme and a forward 
secure public key cryptosystem. Its structure fits current digital 
broadcasting systems and it may be useful in preventing traitors 
from mailing illegal decoders and in minimizing the damage from 
accidental key exposure. It can improve usability through these 
properties. 

I. Introduction 

Background: In recent years, the bandwidth available for 
Internet access has become wider, personal computers have 
become widespread, and high-density storage media has become 
inexpensive. As a result, it has become much easier for 
audio and video content in digital form to be copied and 
redistributed illegally. 

Several methods of protecting copyrighted work from illegal 
distribution have been developed. Content providers (CPs) 
distribute decoders that contain secret keys and send 
encrypted content to users, who decode it with their secret keys. 
Moreover, to deter users from using secret keys illegally, traitor 
tracing methods (TTs) have been developed [2], [3], [4], [5], 
[8], [9], [10]. When a pirate decoder (PD) is found, these 
methods are used to check the secret keys in the PD and trace 
traitors. Furthermore, various countermeasures against secret 
key exposure have been developed to minimize its damage [1], 
[6], [7]. They update users' secret keys and limit their 
valid periods. 

When a TT is used, the risk of secret key exposure must 
be kept in mind, and a protocol that minimizes the damage 
due to key exposure is necessary. What is needed is a secure 
traitor tracing scheme against key exposure. 

Application: When users receive content distribution service 
at home, they store their secret keys in their security devices 
such as IC cards installed in their receivers and use their 
secret keys to decrypt the encrypted content. Current digital 
broadcasting systems often use an IC card as a tamper resistant 
module (TRM). The secret key is stored in the IC card and 
users are able to receive its service only at home, because 
they can neither extract their secret keys from their TRMs nor 
copy them. If it were possible to copy their secret keys, users 
would be able to obtain a service outside their homes. While 
it is very beneficial for users, there would be a problem for 
CPs. If a user were to lose his/her copied secret keys, the CPs 
would be exposed to serious damage. 

To reduce such a threat, a system could be developed 
that enables users to take their secret keys with them in order 
to get content distribution services outside while at the 
same time minimizing the damage of key exposure. One way 
to realize it would be to set a valid period for each secret key 
- that is, to give secret keys a temporal property. CPs allow 
users to copy only temporary secret keys and to bring them 
out. Even if the temporary secret keys were to be lost, the 
potential damage would be limited to their valid periods. 

The secure traitor tracing scheme against key exposure 
(TTaKE) that we propose is designed for such a content 
distribution service. The system meets the requirements of 
both CPs and users and is compatible with the current form 
of broadcasting. 

Our Contribution: We first define a TTaKE and then construct 
a TTaKE that is semantically secure against chosen 
plaintext attacks under the assumption of the Decision 
Diffie-Hellman problem (DDHP). This scheme combines the 
properties of a TT and a forward secure public key cryptosystem. It 
enables identifying users from their secret keys and tracing at 
least one of the traitors who collude to make illegal decoders. 
Moreover, each user's secret key is updated periodically. This 
updating sets valid periods for users' secret keys and enables 
damage resulting from key exposure to be minimized. 

We compare TTaKE with a well-known TT scheme [8], 
[9]. We have confirmed that the data size of our scheme is 
the same as that of TT and that it fits in well with the current 
broadcasting system using TRMs, provides usability outside 
the home, and also protects CPs from key exposure. 

II. Definition 

A. Model 

A secure traitor tracing scheme against key exposure 
(TTaKE) is a public key system in which there is a unique 
encryption key and multiple decryption keys. The decryption 
keys are updated using the master key (MK). 

A CP first sets the period during which the service will 
continue, and this period is divided into $T$ small periods. 
Then, it registers one public key, which will not be changed, 
and distributes different MKs and initial secret keys (IKs) to 
users. These MKs are stored in each user's physically secure 
device (SD). The user secret key, $SK_{u,t}$, for a time period $t$ is 
updated periodically. The user can receive the service at any 
time and in any location by using $SK_{u,t}$ stored in a portable 
memory device (PM), which he/she can carry. The content is 
encrypted using $t$ and distributed. To update $SK_{u,t}$, a partial 
secret key, $SK'_{u,t}$, is first made and then $SK_{u,t}$ is calculated 
using $SK_{u,t-1}$ and $SK'_{u,t}$. 

In this scheme, if authorized users collude to make a PD 
and the number of colluders is less than k, more than one of 
them should be traceable. Furthermore, even if m secret keys 
of the T periods have been exposed, there is no exposure of 
the other keys' information. 

We describe this model formally as follows. 

Definition 1: A TTaKE consists of the following six polynomial 
time algorithms (Gen, Upd*, Upd, Enc, Dec, TT). 

Gen: Public key and user secret key generation algorithm. 
This is a probabilistic algorithm which takes as input a security 
parameter, $s$, the total number of users, $N$, the maximum 
number of colluding users, $k$, the total number of time periods, 
$T$, the maximum number of times of key exposure per user, 
$m$, the maximum number of times of key exposure per period, 
$k_T$, and the maximum total number of key exposures, $m_T$. It 
returns a public key, $PK$, user master keys, $SK^*_1, \dots, SK^*_N$, 
user initial keys, $SK_{1,0}, \dots, SK_{N,0}$, and secret information to 
trace users, $f$. 

Upd*: Device key updating algorithm. This is a deterministic 
algorithm which takes as input a time period index, $t$ ($1 \le t \le T$), 
and $SK^*_u$. It returns a user partial secret key, $SK'_{u,t}$. 

Upd: User key updating algorithm. This is a deterministic 
algorithm which takes as input $t$, $SK'_{u,t}$, and $SK_{u,t-1}$. It 
returns $SK_{u,t}$. 

Enc: Encryption algorithm. This is a probabilistic algorithm 
which takes as input $PK$, $t$, and a message, $M$. It returns a 
ciphertext, $C := \langle t, Head \rangle$. 

Dec: Decryption algorithm. This is a deterministic algorithm 
which takes as input $SK_{u,t}$ and $C$. It returns $M$, or a special 
symbol, $\perp$. We require the following for all messages: 

$Dec(SK_{u,t}, Enc(t, PK, M)) = M$ 

TT: User tracing algorithm. This is a deterministic algorithm 
which takes as input $PK$, $f$, and $\{SK_{p_i,t}\}$. It returns one of 
the suspected traitors' IDs, $p \in \{p_i\}$. 

Black box traitor tracing is not considered in this paper, but 
we will study it in the future. 



Next, we define a pirate decoder, PD, which decrypts 
encrypted content for all periods correctly. We do not consider 
a temporary pirate decoder, which is not very useful for users. 
We describe PD as follows. 

PD: Pirate decoder. This must correctly decrypt a valid ciphertext 
generated by Enc for all service periods. 

B. Security 

Here, we address the security definition of a TTaKE. A 
TTaKE is considered secure if for a confiscated pirate decoder, 
one of the traitors can be identified or it cannot decrypt any 
ciphertext at a target time period t which is chosen by an 
adversary. More precisely, it is required that 

• for a given PD, TT of the TTaKE can detect one of the 
  authorized users' IDs who collude to make a PD. 
• without any PDs, no adversary can obtain any information 
  on the distributed content for the target time period, $t$. 

We describe three kinds of security as follows. 

Definition 2: Let $\Pi = (Gen, Upd^*, Upd, Enc, Dec, TT)$ be a 
TTaKE. When less than $k$ users (traitors) extract their MKs 
and collude to make a PD, if the scheme can trace at least 
one of the traitors, then $\Pi$ is $(k, N)$-traceable. 

Next, we define $(m, T, k_T, m_T)$-indistinguishability, which 
addresses semantic security against an adversary who can 
(non-adaptively) obtain exposed secret keys from honest 
users. Similar to the standard definition of semantic security, 
for a given public key, $PK$, an adversary chooses a time 
period, $t^*$, and a pair of messages with the same length, $M_0$ 
and $M_1$, and submits them to a left-or-right encryption oracle, 
which returns a challenge ciphertext $c^* := Enc(t^*, PK, M_b)$ 
for $b \in_R \{0,1\}$. A TTaKE is considered semantically secure if 
any probabilistic polynomial time Turing machine can answer 
the correct value of $b$ with probability of at most 1/2 plus a 
negligible value. In our definition, (randomly chosen) exposed 
keys, $\mathcal{EXPKEY}^*$, from legitimate users are also given to the 
adversary, and he may use these keys for the attack with a 
restriction that $t^*$ may not be identical to a valid time period 
of any exposed key. See also Def. 1 for other restrictions on 
the number of exposed keys with respect to $m$, $k_T$ and $m_T$. 
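
Definition 3: Let $\Pi = (Gen, Upd^*, Upd, Enc, Dec, TT)$ be a 
TTaKE. Let $A = (A_{find}, A_{guess})$ be an adversary. Define the 
success probability of guessing the value of $b$ as follows: 

$$
\begin{aligned}
Succ_{A,\Pi}(s, k, N, m, T, k_T, m_T) := \Pr[\;
& (PK, SK^*_1, \dots, SK^*_N, SK_{1,0}, \dots, SK_{N,0}, f) \\
& \quad \leftarrow Gen(1^s, k, N, m, T, k_T, m_T); \\
& \mathcal{EXPKEY}^* \in_R \{\mathcal{EXPKEY} \mid 
  \mathcal{EXPKEY} \subset \{SK_{u,t}\}_{1 \le u \le N,\ 1 \le t \le T}, \\
& \quad |\mathcal{EXPKEY}| \le m_T, \\
& \quad |\mathcal{EXPKEY} \cap \{SK_{u,t}\}_{1 \le u \le N,\ t = t'}| \le k_T 
  \quad \forall t' \in \{1, \dots, T\}, \\
& \quad |\mathcal{EXPKEY} \cap \{SK_{u,t}\}_{u = u',\ 1 \le t \le T}| \le m 
  \quad \forall u' \in \{1, \dots, N\}\}; \\
& (t^*, M_0, M_1, a) \leftarrow A_{find}(PK, \mathcal{EXPKEY}^*); \\
& b \in_R \{0,1\};\ c^* \leftarrow Enc(t^*, PK, M_b); \\
& b' \leftarrow A_{guess}(PK, a, c^*) : \\
& b' = b\;]
\end{aligned}
$$

where $a$ is side information obtained by $A_{find}$. Then 
$\Pi$ is $(m, T, k_T, m_T)$-indistinguishable if for any adversary $A$, 
$|Succ_{A,\Pi}(s, k, N, m, T, k_T, m_T) - \frac{1}{2}|$ is negligible. 

Definition 4: Let $\Pi = (Gen, Upd^*, Upd, Enc, Dec, TT)$ be 
a TTaKE. $\Pi$ is $(k, N, m, T, k_T, m_T)$-secure if it is $(k, N)$-traceable 
and $(m, T, k_T, m_T)$-indistinguishable. 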

Intuitively, $(k, N, m, T, k_T, m_T)$-security implies that it is 
impossible to produce a PD that can decrypt ciphertexts 
at all time periods and simultaneously guarantee that no 
colluder can be detected. When traitors make a PD, it is 
meaningless to consider semantic security, so we consider 
the traceability described in Definition 2. On the other hand, 
when an adversary gets exposed secret keys, which are valid 
during certain periods, the content of the other time periods 
should be safe, so it is important to consider semantic security 
in Definition 3. Hence, we consider that a TTaKE can trace 
traitors, is semantically secure against accidental key exposure, 
and as a whole has the $(k, N, m, T, k_T, m_T)$-security described in 
Definition 4. 

III. $(k, N, m, T, k_T, m_T)$-Secure Traitor Tracing 
Scheme against Key Exposure 

We demonstrate a $(k, N, m, T, k_T, m_T)$-secure traitor tracing 
scheme against key exposure ($(k, N, m, T, k_T, m_T)$-TTaKE), 
which is based on the corrected Kurosawa-Desmedt 
traitor tracing scheme (KD) [9] and the $(m, T)$-key-insulated 
public-key scheme (DKXY) [7]. We review these two schemes 
below. After that we describe a $(k, N, m, T, k_T, m_T)$-TTaKE 
in Subsection III-C. 

A. Corrected Kurosawa-Desmedt Traitor Tracing (KD) [9] 

This scheme is a public key scheme that has multiple secret 
keys for one public key. 

Key Generation ($1^s, k, N$): Let $p$ and $q$ be primes, where 
$q \mid p-1$ and the size of $|q|$ is $s$, and let $G_q$ be a subgroup of $Z_p^*$ 
of order $q$. All calculations are executed on $Z_p$. A CP selects 
a generator, $g \in G_q$, then chooses a random polynomial, 
$f(x) := \sum_{i=0}^{2k-1} a_i x^i$, where $a_i \in Z_q$ $(i = 0, \dots, 2k-1)$, 
publishes its public key, $PK := (g, p, q, y_0, y_1, \dots, y_{2k-1})$, 
where $y_i = g^{a_i}$, and sends a personal secret key, $d_i := f(u_i)$, 
to each user, $u_i$ $(i = 1, 2, \dots, N)$. 

Encryption ($PK, M$): A CP selects a random number, $r$, and 
produces $Head := (y, z_0, z_1, \dots, z_{2k-1})$, where $y = g^r$, 
$z_0 = M y_0^r$ and $z_i = y_i^r$ $(i = 1, \dots, 2k-1)$, using $PK$ and a 
message, $M$. Then it sends $Head$ to each user. 

Decryption ($Head, d_i$): Each user, $u_i$, computes $M$ from 
$Head$ using $d_i$ as follows: 



In [9], it is shown that this scheme can trace at least one 
traitor out of $k$ traitors and that the scheme is secure against 
linear attacks of $k$ colluders [10]. Moreover, the scheme in [9] 
includes a scheme for black box traitor tracing. 

B. $(m, T)$-Key-Insulated Public-Key Scheme (DKXY) [7] 

This scheme is a secure public key scheme against key 
exposure that can tolerate $m$ times key exposure. It uses 
two generators to achieve security against adaptive attacks. 
Below, for simplicity, we show its construction with only one 
generator. It is secure against non-adaptive attacks. 

Key Generation ($1^s, m, T$): Let $p$ and $q$ be primes, where 
$q \mid p-1$ and the size of $|q|$ is $s$, and let $G_q$ be a subgroup 
of $Z_p^*$ of order $q$. All calculations are executed on $Z_p$. 
A user selects a generator, $g \in G_q$. He chooses random 
numbers, $a_i^* \in Z_q$, and calculates $y_i^* = g^{a_i^*}$ $(i = 0, \dots, m)$. He 
then makes a public key, $PK := (g, p, q, y_0^*, \dots, y_m^*)$, an MK, 
$SK^* := (a_1^*, \dots, a_m^*)$, and an IK, $SK_0 := a_0^*$. He publishes 
$PK$, stores $SK_0$ in a PM and $SK^*$ in his SD. 

Device Key Update ($t, SK^*$): The SD calculates a partial key, 
$SK'_t = \sum_{j=1}^{m} a_j^* (t^j - (t-1)^j)$, using $SK^*$, and then sends 
$SK'_t$ to the user. 

User Key Update ($t, SK'_t, SK_{t-1}$): The user calculates 
$SK_t := SK'_t + SK_{t-1}$, using $SK'_t$ sent by the SD and $SK_{t-1}$, 
and stores $SK_t$. 

Encryption ($t, PK, M$): A CP chooses a random number, $a \in Z_q$, 
then calculates $y_t := \prod_{j=0}^{m} (y_j^*)^{t^j}$, encrypts a message, $M$, 
produces a ciphertext, $C := (g^a, y_t^a M)$, combines it with the 
time period $t$ and sends $(t, C)$ to the user. 

Decryption ($C, SK_t$): The user decrypts $C := (y, z_t)$, using 
$SK_t$. He then gets $M$, through the following calculation: 

C. $(k, N, m, T, 2k-1, 2k(m+1)-1)$-TTaKE 

A $(k, N, m, T, 2k-1, 2k(m+1)-1)$-TTaKE combines 
properties of both KD and DKXY. We propose a way to 
construct a $(k, N, m, T, 2k-1, 2k(m+1)-1)$-TTaKE. 
It also employs only one generator and is secure against 
non-adaptive attacks. 

$Gen(1^s, k, N, m, T, 2k-1, 2k(m+1)-1)$: Let $p$ and 
$q$ be primes such that $q \mid p-1$ where the size of 
$|q|$ is $s$ and let $G_q$ be a subgroup of $Z_p^*$ of order $q$. 
All calculations are executed on $Z_p$. The CP selects a 
generator, $g \in G_q$, and random numbers, $a_{i,j} \in Z_q$ 
$(i = 0, 1, \dots, 2k-1;\ j = 0, 1, \dots, m)$, makes a two-variable 
polynomial, $f(u,t) := \sum_{i=0}^{2k-1} \sum_{j=0}^{m} a_{i,j} u^i t^j$, and publishes 
its public key, $PK := (g, p, q, g^{a_{0,0}}, g^{a_{0,1}}, \dots, g^{a_{2k-1,m}})$. 
Then it makes each user's MK, 
$SK^*_u := (\sum_{i=0}^{2k-1} a_{i,1} u^i, \sum_{i=0}^{2k-1} a_{i,2} u^i, \dots, \sum_{i=0}^{2k-1} a_{i,m} u^i)$, 
and IK, $SK_{u,0} := \sum_{i=0}^{2k-1} a_{i,0} u^i$ $(u = 1, 2, \dots, N)$, and sends 
them to each user. The users store $SK_{u,0}$ in their PMs and 
store $SK^*_u$ in their SDs. 

$Upd^*(t, SK^*_u)$: The SD calculates a partial key, 
$SK'_{u,t} := \sum_{j=1}^{m} z_j^* (t^j - (t-1)^j)$, where $z_j^* := \sum_{i=0}^{2k-1} a_{i,j} u^i$, 
using $t$ and $SK^*_u$, and then sends $SK'_{u,t}$ to the user. 

$Upd(t, SK'_{u,t}, SK_{u,t-1})$: The user calculates his/her secret 
key, $SK_{u,t} = SK'_{u,t} + SK_{u,t-1}$, using $SK'_{u,t}$ sent by his/her 
SD and $SK_{u,t-1}$, and stores it. 

$Enc(t, PK, M)$: The CP chooses a random number, $a \in Z_q$, 
and produces $Head(t) := (y, z_{t,0}, z_{t,1}, \dots, z_{t,2k-1})$, 
where $y = g^a$, $z_{t,0} = M (\prod_{j=0}^{m} (g^{a_{0,j}})^{t^j})^a$ and 
$z_{t,i} = (\prod_{j=0}^{m} (g^{a_{i,j}})^{t^j})^a$ $(i = 1, \dots, 2k-1)$, using 
$PK$, a message, $M$, and $t$. Then $Head(t)$ is combined with 
$t$ and a ciphertext, $C := \langle t, Head(t) \rangle$, is created. 

$Dec(C, SK_{u,t})$: The user decrypts $C$, using $SK_{u,t}$. He then 
obtains $M$, through the following calculation: 

^ y^'^^.t 

$TT(PK, f(u,t), SK_{p,t})$: When a PD is found, a secret key, 
$SK_{p,t}$, is checked and one of the traitors, $p$, is identified. We 
describe this tracing algorithm in Subsection IV-A. 

We emphasize that it is crucial to update $SK_{p,t}$ in each time 
period, to prevent an adversary from re-using the same secret 
keys in different time periods. 
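
The following is an added example, not code from the paper: it runs Gen, Upd*, Upd, Enc and Dec of Subsection III-C over a toy group and shows that a key exposed in period 2 no longer decrypts period 3. The group parameters, the function names, the simplified `trace` check and the decryption rule $M = \prod_i z_{t,i}^{u^i} / y^{SK_{u,t}}$ (derived here from Enc and $SK_{u,t} = f(u,t)$) are assumptions of this example.

```python
import secrets

# Toy group, constructed for illustration only (far too small for real use):
# p = 2q + 1 with q prime; g = 4 generates the order-q subgroup G_q of Z_p^*.
P, Q, G = 2039, 1019, 4

def f(a, u, t):
    """Tracing polynomial f(u,t) = sum_i sum_j a[i][j] * u^i * t^j mod q."""
    return sum(a[i][j] * pow(u, i, Q) * pow(t, j, Q)
               for i in range(len(a)) for j in range(len(a[0]))) % Q

def gen(k, n_users, m, coeffs=None):
    """Gen: returns PK, master keys SK*_u, initial keys SK_{u,0}, and f's coefficients."""
    a = coeffs or [[secrets.randbelow(Q) for _ in range(m + 1)] for _ in range(2 * k)]
    pk = [[pow(G, a_ij, P) for a_ij in row] for row in a]
    users = range(1, n_users + 1)
    # SK*_u = (z_1..z_m), z_j = sum_i a[i][j] u^i: stays inside the secure device (SD).
    mk = {u: [sum(a[i][j] * pow(u, i, Q) for i in range(2 * k)) % Q
              for j in range(1, m + 1)] for u in users}
    ik = {u: f(a, u, 0) for u in users}  # SK_{u,0}: copied to portable memory (PM)
    return pk, mk, ik, a

def upd_star(t, mk_u):
    """Upd* (run in the SD): SK'_{u,t} = sum_{j=1..m} z_j * (t^j - (t-1)^j)."""
    return sum(z * (pow(t, j, Q) - pow(t - 1, j, Q))
               for j, z in enumerate(mk_u, start=1)) % Q

def upd(partial, sk_prev):
    """Upd (run by the user): SK_{u,t} = SK'_{u,t} + SK_{u,t-1}."""
    return (partial + sk_prev) % Q

def enc(pk, t, msg):
    """Enc: C = <t, Head(t)>, Head(t) = (y, z_{t,0}, ..., z_{t,2k-1})."""
    r = 1 + secrets.randbelow(Q - 1)          # nonzero random exponent
    head = []
    for i, row in enumerate(pk):
        base = 1
        for j, y_ij in enumerate(row):        # prod_j (g^{a_ij})^{t^j}
            base = base * pow(y_ij, pow(t, j, Q), P) % P
        z = pow(base, r, P)
        head.append(msg * z % P if i == 0 else z)
    return t, pow(G, r, P), head

def dec(u, sk_ut, ct):
    """Dec (derived for this example): M = prod_i z_{t,i}^(u^i) / y^SK_{u,t}."""
    _, y, head = ct
    num = 1
    for i, z in enumerate(head):
        num = num * pow(z, pow(u, i, Q), P) % P
    return num * pow(pow(y, sk_ut, P), -1, P) % P

def trace(a, t, decoder_keys):
    """Simplified non-black-box TT: IDs whose recovered key equals f(uid, t)."""
    return [uid for uid, sk in decoder_keys if sk == f(a, uid, t)]

def demo():
    # Constructed coefficients (k=1, m=1): f(u,t) = 5 + 7t + 11u + 13ut.
    pk, mk, ik, a = gen(1, 4, 1, coeffs=[[5, 7], [11, 13]])
    u, keys = 3, {0: ik[3]}
    for t in (1, 2, 3):
        keys[t] = upd(upd_star(t, mk[u]), keys[t - 1])
    ct = enc(pk, 3, 1234)
    fresh = dec(u, keys[3], ct)   # current-period key recovers the message
    stale = dec(u, keys[2], ct)   # exposed period-2 key fails on period 3
    return keys, fresh, stale, trace(a, 3, [(3, keys[3]), (2, 999)])

if __name__ == "__main__":
    print(demo())
```

With the constructed coefficients, the per-period keys of user 3 differ by the constant partial key 46, so the stale key leaves a factor $g^{46r} \ne 1$ in the decryption result.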

IV. Security Analysis 

A. Tracing Traitors 

When $k$ traitors collude to make a PD, they don't want to 
be identified, so they may try to make a PD that includes a 
different user's identification and secret key. However, creating 
them is as complex as the discrete logarithm problem (DLP), 
so the identification and the secret key included in the PD 
must be those of one of the colluding members. By detecting 
the identification, one of the traitors can be traced. As a result, 
the scheme is $(k, N)$-traceable as described in Definition 2. 

Theorem 1: The proposed scheme is a $(k, N)$-traceable 
scheme as described in Definition 2 assuming the difficulty 
of the DLP on $G_q$. 

Proof: When a PD is confiscated, the user identification 
and secret key $(u_1, f(u_1, t_1)), \dots, (u_t, f(u_t, t_t))$ contained 
in it are exposed, or the user identification and MK and IK, 
$(u, SK^*_u, SK_{u,0})$, contained in it are exposed. In the former 
case, our scheme can trace one of $k$ traitors with a secret key 
$(u_t, f(u_t, t_p))$ of one time period $t_p$. In the latter case, the 
IK is regarded as a secret key of time and the same traitor 
tracing algorithm is used. 

Formally, we can show that an adversary who can make 
a PD, which includes the identification and a secret key for 
a time period $t$ of a user who is not one of the $k$ traitors, 
can solve the DLP with non-negligible probability. To solve 
the DLP $(g, p, y = g^x)$, we perform the following steps S1 
through S8. 

S1. Choose random numbers $d_1, \dots, d_k \in G_q$. 

S2. Set the matrix $UP$ for $u_{p_1}, \dots, u_{p_k}$ as 

/ Upi ••■ m|i \ 

Up2 ■■■ 

UP = 

\ ^Ik ■■■ Upk I 

Here, $UP$ has an inverse matrix $UP^{-1}$, because it is a 
Vandermonde matrix. 

S3. Let $(up_{j,1}, \dots, up_{j,k})$ be the $j$-th row of matrix $UP^{-1}$ 
and calculate $b_j = up_{j,1} d_1 + up_{j,2} d_2 + \dots + up_{j,k} d_k$. 



S4. Set = , and $g^{a_{i,j}} = 1$ $(j = 1, \dots, m)$. 

S5. Set the public key as 
$PK := (g, p, q, y, \underbrace{1, \dots, 1}_{m}, g^{a_{1,0}}, \underbrace{1, \dots, 1}_{m}, \dots, g^{a_{k,0}}, \underbrace{1, \dots, 1}_{m}, 1, \dots, 1)$ 
and the traitors' secret keys $(u_{p_i}, SK_{p_i,t})$ $(i = 1, \dots, k)$ as 
$SK_{p_i,t} = d_i$. 

S6. Send $PK$ and the traitors' secret keys of time period $t$ to 
the adversary. 

S7. The adversary returns a new identification and its secret 
key of time period $t$, $(u_p, d_p)$. 

S8. Calculate the coefficients of $f_t(x) = \sum_{i=0}^{2k-1} b_i x^i$, where 
$b_i = 0$ $(2k-1 \ge i \ge k+1)$, $d_i = f_t(u_{p_i})$ $(i = 1, \dots, k)$ and 
$d_p = f_t(u_p)$. Also $a_{i,0} = b_i$ $(i = 0, \dots, k)$. Among these 
coefficients, $a_{0,0}$ becomes the solution to the given DLP. 

This result contradicts the difficulty of the DLP. Hence, 
there is no such algorithm which can make a new identification 
and its secret key. 

We now show that our scheme's traceability is reduced 
to that of KD and that our scheme is secure against linear 
attacks of $k$ colluders [10]. User $u$'s secret key in time period 
$t$ is as follows: $SK_u = \sum_{i=0}^{2k-1} \sum_{j=0}^{m} a_{i,j} u^i t^j$. In another 
expression, $SK_u = \sum_{i=0}^{2k-1} b_i u^i$, where $b_i = \sum_{j=0}^{m} a_{i,j} t^j$. 
These coefficients, $b_i$ $(i = 0, \dots, 2k-1)$, do not depend on 
$u$. Hence, the polynomial's degree on $u$ to calculate $SK_u$ is 
$2k-1$. In KD, $SK_u$ is calculated as the polynomial, $SK_u = 
\sum_{i=0}^{2k-1} a_i u^i$. This structure is the same as that of our scheme 
($SK_u = \sum_{i=0}^{2k-1} b_i u^i$); hence, our scheme's traceability can 
be reduced to that of KD. Moreover, KD's security against 
a linear attack is proven if this polynomial's degree on $u$ is 
greater than $2k-1$ [11], [9]. The degree on $u$ of our scheme 
is also $2k-1$. As a result our scheme is secure against a linear 
attack. 

Furthermore, a black box tracing scheme is described in [9]. 
We suppose that a similar black box tracing scheme could be 
applied to our scheme, and we will try to do so in the future. 

B. Chosen-Plaintext Security Based on DDHP 

In the above, we showed that our scheme is a $(k, N)$-traceable 
one. Here, we show a proof of $(m, T, 2k-1, 2k(m+1)-1)$-indistinguishability 
for our scheme and that overall, it 
is a $(k, N, m, T, k_T, 2k(m+1)-1)$-secure TTaKE as described 
in Definition 4. First we show that the scheme is semantically 
secure against a passive adversary, assuming the difficulty 
of the DDHP on $G_q$. The assumption is that no polynomial 
time algorithm can distinguish with non-negligible advantage 
between the two distributions $D = \langle g_1, g_2, g_1^a, g_2^a \rangle$ and 
$R = \langle g_1, g_2, g_1^a, g_2^b \rangle$, where $g_1$ and $g_2$ are generators chosen 
at random in $G_q$, and $a$ and $b$ are chosen at random in $Z_q$. 

Theorem 2: The proposed scheme is an $(m, T, 2k * (m+1) - 1)$-indistinguishable 
scheme as described in Definition 3 
assuming the difficulty of the DDHP on $G_q$. 
Proof: Assuming that there exists a probabilistic polynomial 
time adversary $A$ which can break our scheme, we show that 
it is possible to construct another adversary $B$ which can solve 
the DDHP with a non-negligible advantage. 

For an input $(g_1, g_2, h_1, h_2)$, $B$ solves the DDHP as follows. 
First, $B$ chooses $2k(m+1)-1$ exposed keys according to the 
restrictions in Definitions 1 and 3, and also sets the values of 
these keys uniformly at random from $Z_q$. Let $\mathcal{EXPKEY}^*$ be 
the set of these exposed keys. 

$B$ also sets $a_{0,0} = \log_{g_1} g_2$, and by Lagrange 
interpolation, calculates a public key $PK = 
(g_1, p, q, g_1^{a_{0,0}}, g_1^{a_{0,1}}, \dots, g_1^{a_{2k-1,m}})$ such that $f(u,t) := 
\sum_{i=0}^{2k-1} \sum_{j=0}^{m} a_{i,j} u^i t^j$ passes through all points in $\mathcal{EXPKEY}^*$ 
and $g_1^{a_{0,0}} = g_2$. Notice that this calculation can be performed 
without knowing $a_{0,0} = \log_{g_1} g_2$ and there exists at least one 
$f(u,t)$ which satisfies the above requirement. 

Next, $B$ gives $PK$ to $A$, and $A$ submits a query 
$(t^*, M_0, M_1)$ to the left-or-right encryption oracle. On 
receiving this, $B$ sets $a'_{0,0} = \log_{h_1} h_2$, and by Lagrange 
interpolation, calculates $(h_1^{a'_{0,0}}, \dots, h_1^{a'_{2k-1,m}})$ such that 
$f'(u,t) := \sum_{i=0}^{2k-1} \sum_{j=0}^{m} a'_{i,j} u^i t^j$ passes through all points in 
$\mathcal{EXPKEY}^*$ and $h_1^{a'_{0,0}} = h_2$. Note that $f'(u,t) = f(u,t)$ if 
$\log_{g_1} g_2 = \log_{h_1} h_2$. $B$ then picks $b \in_R \{0,1\}$ and returns 
a challenge ciphertext $c^* := (y^*, z_{t^*,0}, z_{t^*,1}, \dots, z_{t^*,2k-1})$ 
such that $y^* = h_1$, $z_{t^*,0} = M_b \prod_{j=0}^{m} (h_1^{a'_{0,j}})^{(t^*)^j}$ and 
$z_{t^*,i} = \prod_{j=0}^{m} (h_1^{a'_{i,j}})^{(t^*)^j}$ $(i = 1, \dots, 2k-1)$. 

It is clear that if $(g_1, g_2, h_1, h_2)$ is a DDH-tuple, then $c^*$ is 
a valid ciphertext of $M_b$. On the other hand, if it is a random 
tuple, it is information theoretically impossible to obtain any 
information on $b$, due to the randomness of "$\log_{h_1} h_2$". Letting 
$b'$ be $A$'s output, $B$ outputs $D$ if $b' = b$; otherwise, $B$ outputs 
$R$. Consequently, $B$ solves the DDHP with a non-negligible 
advantage. 

V. Comparison 

We compare our scheme (TTaKE) with KD with respect 
to data size and computational cost (CPU cost). The results 
are shown in Table 1. The CPU cost results show only their 
dominant values. 'Mul' denotes those of multiplication, and 
'Exp' denotes those of exponential calculation. 

The header size in TTaKE is the same as that in KD. 
However, the public key size of TTaKE is larger than that 
of KD. The user stored data size of TTaKE is also larger 
than that of KD. When we consider the security against key 
exposure during T service periods, KD needs to update its 
public key and its user stored data at the beginning of each 
period. Through this updating process, the total size of public 
keys and user data are $T * (2k + 3)$ and $T$, respectively. As $T$ 
exceeds m, these sizes are greater than those of TTaKE. 



In terms of CPU cost, TTaKE needs to update the user 
secret key, but this is unnecessary with KD. The CPU cost of 
encryption with TTaKE exceeds that of KD. The CPU cost 
of decryption with TTaKE is the same as that of KD. When 
we also consider the security against key exposure during $T$ 
service periods, a CP needs to generate all the users' secret 
keys. This generation needs $T * N * (2k-1) * (k+1)$ 
multiplications. Furthermore, secret communication 
is needed to send secret keys to each user. 

Overall, our scheme is efficient in terms of user data size, 
CPU cost and communication cost, when we consider security 
against key exposure during $T$ service periods. However, its 
public key size and the CPU cost of encryption rise with 
$k$, $m$, so these should be reduced. Moreover, a black box traitor 
tracing scheme should be studied in the future. 

VI. Conclusion 

We have proposed a secure traitor tracing scheme against 
key exposure ($(k, N, m, T, k_T, m_T)$-TTaKE). Our scheme is 
based on KD [9] and DKXY [7] and it uses a polynomial 
with two variables (user ID and time). Its traceability is based 
on the difficulty of solving the DLP. Semantic security of the 
encryption scheme against a passive adversary was achieved 
based on the DDHP. 

To conclude, we mention an application of our system to 
protect copyrighted works against piracy. CPs need an effective 
TT. Furthermore, in the "anytime and anywhere TV" [12] 
being considered, users will need to carry their secret keys 
for self-identification, which places secret keys at risk of 
exposure. Potential damage due to secret key exposure should 
be minimized. 

Using our scheme, traitors can be traced and the damage 
from secret key exposure can be minimized. 